Make Element#innerText to use CHECK at StringView construction
This patch converts use-after-tree to CHECK() by changing Element#innerText
to cause CEHCK() instead of DCHECK in StringView constructor to avoid
use-after-tree.
Note: We are not sure of root causes both use-after-free tree and wrong
StringView constructor call.
Bug: 964464
Change-Id: If4d289c8f6fe4072c1869553cd952d0c153a3369
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1619510
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Commit-Queue: Koji Ishii <kojii@chromium.org>
Auto-Submit: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#661314}
diff --git a/third_party/blink/renderer/core/editing/element_inner_text.cc b/third_party/blink/renderer/core/editing/element_inner_text.cc
index e9d234b2..bf528002f 100644
--- a/third_party/blink/renderer/core/editing/element_inner_text.cc
+++ b/third_party/blink/renderer/core/editing/element_inner_text.cc
@@ -255,6 +255,10 @@
const NGOffsetMapping* const mapping = GetOffsetMapping(layout_text);
const NGMappingUnitRange range = mapping->GetMappingUnitsForNode(text_node);
for (const NGOffsetMappingUnit& unit : range) {
+ // TODO(yosin): Once |NGOffsetMapping| holds valid entries, we should remove
+ // following |CHECK|s. See http://crbug.com/964871
+ CHECK_LE(unit.TextContentStart(), mapping->GetText().length());
+ CHECK_LE(unit.TextContentEnd(), mapping->GetText().length());
result_.EmitText(
StringView(mapping->GetText(), unit.TextContentStart(),
unit.TextContentEnd() - unit.TextContentStart()));
